
Amazon Web Services SOA-C02 AWS Certified SysOps Administrator - Associate (SOA-C02) Exam Practice Test

Demo: 65 questions
Total 425 questions

AWS Certified SysOps Administrator - Associate (SOA-C02) Questions and Answers

Question 1

A SysOps administrator has set up a new Amazon EC2 instance as a web server in a public subnet. The instance uses HTTP port 80 and HTTPS port 443.

The SysOps administrator has confirmed internet connectivity by downloading operating system updates and software from public repositories. However, the SysOps administrator cannot access the instance from a web browser on the internet.

Which combination of steps should the SysOps administrator take to troubleshoot this issue? (Select THREE.)

Options:

A.

Ensure that the inbound rules of the instance's security group allow traffic on ports 80 and 443.

B.

Ensure that the outbound rules of the instance's security group allow traffic on ports 80 and 443.

C.

Ensure that ephemeral ports 1024-65535 are allowed in the inbound rules of the network ACL that is associated with the instance's subnet.

D.

Ensure that ephemeral ports 1024-65535 are allowed in the outbound rules of the network ACL that is associated with the instance's subnet.

E.

Ensure that the filtering rules for any firewalls that are running on the instance allow inbound traffic on ports 80 and 443.

F.

Ensure that AWS WAF is turned on for the instance and is blocking web traffic.

Question 2

A company plans to launch a static website on its domain example.com and subdomain www.example.com using Amazon S3. How should the SysOps administrator meet this requirement?

Options:

A.

Create one S3 bucket named example.com for both the domain and subdomain.

B.

Create one S3 bucket with a wildcard named *.example.com for both the domain and subdomain.

C.

Create two S3 buckets named example.com and www.example.com. Configure the subdomain bucket to redirect requests to the domain bucket.

D.

Create two S3 buckets named http://example.com and http://*.example.com. Configure the wildcard (*) bucket to redirect requests to the domain bucket.

Question 3

A company has launched a social media website that gives users the ability to upload images directly to a centralized Amazon S3 bucket. The website is popular in areas that are geographically distant from the AWS Region where the S3 bucket is located. Users are reporting that uploads are slow. A SysOps administrator must improve the upload speed.

What should the SysOps administrator do to meet these requirements?

Options:

A.

Create S3 access points in Regions that are closer to the users.

B.

Create an accelerator in AWS Global Accelerator for the S3 bucket.

C.

Enable S3 Transfer Acceleration on the S3 bucket.

D.

Enable cross-origin resource sharing (CORS) on the S3 bucket.

Question 4

A company has an AWS CloudFormation template that creates an Amazon S3 bucket. A user authenticates to the corporate AWS account with their Active Directory credentials and attempts to deploy the CloudFormation template. However, the stack creation fails.

Which factors could cause this failure? (Select TWO.)

Options:

A.

The user's IAM policy does not allow the cloudformation:CreateStack action.

B.

The user's IAM policy does not allow the cloudformation:CreateStackSet action.

C.

The user's IAM policy does not allow the s3:CreateBucket action.

D.

The user's IAM policy explicitly denies the s3:ListBucket action.

E.

The user's IAM policy explicitly denies the s3:PutObject action.

Question 5

The security team is concerned because the number of AWS Identity and Access Management (IAM) policies being used in the environment is increasing. The team tasked a SysOps administrator to report on the current number of IAM policies in use and the total available IAM policies.

Which AWS service should the administrator use to check how current IAM policy usage compares to current service limits?

Options:

A.

AWS Trusted Advisor

B.

Amazon Inspector

C.

AWS Config

D.

AWS Organizations

Question 6

A company wants to build a solution for its business-critical Amazon RDS for MySQL database. The database requires high availability across different geographic locations. A SysOps administrator must build a solution to handle a disaster recovery (DR) scenario with the lowest recovery time objective (RTO) and recovery point objective (RPO).

Which solution meets these requirements?

Options:

A.

Create automated snapshots of the database on a schedule. Copy the snapshots to the DR Region.

B.

Create a cross-Region read replica for the database.

C.

Create a Multi-AZ read replica for the database.

D.

Schedule AWS Lambda functions to create snapshots of the source database and to copy the snapshots to a DR Region.

Question 7

A SysOps administrator applies the following policy to an AWS CloudFormation stack:

What is the result of this policy?

Options:

A.

Users that assume an IAM role with a logical ID that begins with "Production" are prevented from running the update-stack command.

B.

Users can update all resources in the stack except for resources that have a logical ID that begins with "Production".

C.

Users can update all resources in the stack except for resources that have an attribute that begins with "Production".

D.

Users in an IAM group with a logical ID that begins with "Production" are prevented from running the update-stack command.

Question 8

A SysOps administrator is unable to launch Amazon EC2 instances into a VPC because there are no available private IPv4 addresses in the VPC. Which combination of actions must the SysOps administrator take to launch the instances? (Select TWO.)

Options:

A.

Associate a secondary IPv4 CIDR block with the VPC

B.

Associate a primary IPv6 CIDR block with the VPC

C.

Create a new subnet for the VPC

D.

Modify the CIDR block of the VPC

E.

Modify the CIDR block of the subnet that is associated with the instances

Question 9

A global company handles a large amount of personally identifiable information (PII) through an internal web portal. The company's application runs in a corporate data center that is connected to AWS through an AWS Direct Connect connection. The application stores the PII in Amazon S3. According to a compliance requirement, traffic from the web portal to Amazon S3 must not travel across the internet.

What should a SysOps administrator do to meet the compliance requirement?

Options:

A.

Provision an interface VPC endpoint for Amazon S3. Modify the application to use the interface endpoint.

B.

Configure AWS Network Firewall to redirect traffic to the internal S3 address.

C.

Modify the application to use the S3 path-style endpoint.

D.

Set up a range of VPC network ACLs to redirect traffic to the internal S3 address.

Question 10

A company is creating a new multi-account environment in AWS Organizations. The company will use AWS Control Tower to deploy the environment. Users must be able to create resources in approved AWS Regions only. The company must configure and govern all accounts by using a standard baseline configuration.

Which combination of steps will meet these requirements in the MOST operationally efficient way? (Select TWO.)

Options:

A.

Create a permission set and a custom permissions policy in AWS IAM Identity Center (AWS Single Sign-On) for each user to prevent each user from creating resources in unapproved Regions.

B.

Deploy AWS Config rules in each AWS account to govern the account's security compliance and to delete any resources that are created in unapproved Regions.

C.

Deploy AWS Lambda functions to configure security settings across all accounts in the organization and to delete any resources that are created in unapproved Regions.

D.

Implement a service control policy (SCP) to deny any access to AWS based on the requested Region.

E.

Modify the AWS Control Tower landing zone settings to govern the approved Regions.

Question 11

A SysOps administrator is managing a web application that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an EC2 Auto Scaling group. The administrator wants to set an alarm for when all target instances associated with the ALB are unhealthy.

Which condition should be used with the alarm?

Options:

A.

AWS/ApplicationELB HealthyHostCount <= 0

B.

AWS/ApplicationELB UnhealthyHostCount >= 1

C.

AWS/EC2 StatusCheckFailed <= 0

D.

AWS/EC2 StatusCheckFailed >= 1

Question 12

A SysOps administrator is reviewing VPC Flow Logs to troubleshoot connectivity issues in a VPC. While reviewing the logs, the SysOps administrator notices that rejected traffic is not listed.

What should the SysOps administrator do to ensure that all traffic is logged?

Options:

A.

Create a new flow log that has a filter setting to capture all traffic.

B.

Create a new flow log. Set the log record format to a custom format. Select the proper fields to include in the log.

C.

Edit the existing flow log. Change the filter setting to capture all traffic.

D.

Edit the existing flow log. Set the log record format to a custom format. Select the proper fields to include in the log.

Question 13

A SysOps administrator needs to control access to groups of Amazon EC2 instances using AWS Systems Manager Session Manager. Specific tags on the EC2 instances have already been added.

Which additional actions should the administrator take to control access? (Choose two.)

Options:

A.

Attach an IAM policy to the users or groups that require access to the EC2 instances.

B.

Attach an IAM role to control access to the EC2 instances.

C.

Create a placement group for the EC2 instances and add a specific tag.

D.

Create a service account and attach it to the EC2 instances that need to be controlled.

E.

Create an IAM policy that grants access to any EC2 instances with a tag specified in the Condition element.

Question 14

A company is running an application on premises and wants to use AWS for data backup. All of the data must be available locally. The backup application can write only to block-based storage that is compatible with the Portable Operating System Interface (POSIX).

Which backup solution will meet these requirements?

Options:

A.

Configure the backup software to use Amazon S3 as the target for the data backups

B.

Configure the backup software to use Amazon S3 Glacier as the target for the data backups

C.

Use AWS Storage Gateway, and configure it to use gateway-cached volumes

D.

Use AWS Storage Gateway, and configure it to use gateway-stored volumes

Question 15

A company has an application that is deployed to two AWS Regions in an active-passive configuration. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB) in each Region. The instances are in an Amazon EC2 Auto Scaling group in each Region. The application uses an Amazon Route 53 hosted zone for DNS. A SysOps administrator needs to configure automatic failover to the secondary Region.

What should the SysOps administrator do to meet these requirements?

Options:

A.

Configure Route 53 alias records that point to each ALB. Choose a failover routing policy. Set Evaluate Target Health to Yes.

B.

Configure CNAME records that point to each ALB. Choose a failover routing policy. Set Evaluate Target Health to Yes.

C.

Configure Elastic Load Balancing (ELB) health checks for the Auto Scaling group. Add a target group to the ALB in the primary Region. Include the EC2 instances in the secondary Region as targets.

D.

Configure EC2 health checks for the Auto Scaling group. Add a target group to the ALB in the primary Region. Include the EC2 instances in the secondary Region as targets.

Question 16

A SysOps administrator receives notification that an application that is running on Amazon EC2 instances has failed to authenticate to an Amazon RDS database. To troubleshoot, the SysOps administrator needs to investigate AWS Secrets Manager password rotation.

Which Amazon CloudWatch log will provide insight into the password rotation?

Options:

A.

AWS CloudTrail logs

B.

EC2 instance application logs

C.

AWS Lambda function logs

D.

RDS database logs

Question 17

A company creates a new member account by using AWS Organizations. A SysOps administrator needs to add AWS Business Support to the new account.

Which combination of steps must the SysOps administrator take to meet this requirement? (Select TWO.)

Options:

A.

Sign in to the new account by using IAM credentials. Change the support plan.

B.

Sign in to the new account by using root user credentials. Change the support plan.

C.

Use the AWS Support API to change the support plan.

D.

Reset the password of the account root user.

E.

Create an IAM user that has administrator privileges in the new account.

Question 18

A company monitors its account activity using AWS CloudTrail and is concerned that some log files are being tampered with after the logs have been delivered to the account's Amazon S3 bucket.

Moving forward, how can the SysOps administrator confirm that the log files have not been modified after being delivered to the S3 bucket?

Options:

A.

Stream the CloudTrail logs to Amazon CloudWatch Logs to store logs at a secondary location.

B.

Enable log file integrity validation and use digest files to verify the hash value of the log file.

C.

Replicate the S3 log bucket across regions, and encrypt log files with S3 managed keys.

D.

Enable S3 server access logging to track requests made to the log bucket for security audits.

Question 19

A company needs to monitor the disk utilization of Amazon Elastic Block Store (Amazon EBS) volumes. The EBS volumes are attached to Amazon EC2 Linux instances. A SysOps administrator must set up an Amazon CloudWatch alarm that provides an alert when disk utilization increases to more than 80%.

Which combination of steps must the SysOps administrator take to meet these requirements? (Select THREE.)

Options:

A.

Create an IAM role that includes the CloudWatchAgentServerPolicy AWS managed policy. Attach the role to the instances.

B.

Create an IAM role that includes the CloudWatchApplicationInsightsReadOnlyAccess AWS managed policy. Attach the role to the instances.

C.

Install and start the CloudWatch agent by using AWS Systems Manager or the command line

D.

Install and start the CloudWatch agent by using an IAM role. Attach the CloudWatchAgentServerPolicy AWS managed policy to the role.

E.

Configure a CloudWatch alarm to enter ALARM state when the disk_used_percent CloudWatch metric is greater than 80%.

F.

Configure a CloudWatch alarm to enter ALARM state when the disk_used CloudWatch metric is greater than 80% or when the disk_free CloudWatch metric is less than 20%.

Question 20

A company uses Amazon Elasticsearch Service (Amazon ES) to analyze sales and customer usage data. Members of the company's geographically dispersed sales team are traveling. They need to log in to Kibana by using their existing corporate credentials that are stored in Active Directory. The company has deployed Active Directory Federation Services (AD FS) to enable authentication to cloud services.

Which solution will meet these requirements?

Options:

A.

Configure Active Directory as an authentication provider in Amazon ES. Add the Active Directory server's domain name to Amazon ES. Configure Kibana to use Amazon ES authentication.

B.

Deploy an Amazon Cognito user pool. Configure Active Directory as an external identity provider for the user pool. Enable Amazon Cognito authentication for Kibana on Amazon ES.

C.

Enable Active Directory user authentication in Kibana. Create an IP-based custom domain access policy in Amazon ES that includes the Active Directory server's IP address.

D.

Establish a trust relationship with Kibana on the Active Directory server. Enable Active Directory user authentication in Kibana. Add the Active Directory server's IP address to Kibana.

Question 21

A company uses AWS Organizations to host several applications across multiple AWS accounts. Several teams are responsible for building and maintaining the infrastructure of the applications across the AWS accounts.

A SysOps administrator must implement a solution to ensure that user accounts and permissions are centrally managed. The solution must be integrated with the company's existing on-premises Active Directory environment. The SysOps administrator already has enabled AWS IAM Identity Center (AWS Single Sign-On) and has set up an AWS Direct Connect connection.

What is the MOST operationally efficient solution that meets these requirements?

Options:

A.

Create a Simple AD domain, and establish a forest trust relationship with the on-premises Active Directory domain. Set the Simple AD domain as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.

B.

Create an Active Directory domain controller on an Amazon EC2 instance that is joined to the on-premises Active Directory domain. Set the Active Directory domain controller as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.

C.

Create an AD Connector that is associated with the on-premises Active Directory domain. Set the AD Connector as the identity source for IAM Identity Center. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.

D.

Use the built-in SSO directory as the identity source for IAM Identity Center. Copy the users and groups from the on-premises Active Directory domain. Create the required role-based permission sets. Assign each group of users to the AWS accounts that the group will manage.

Question 22

A company wants to prohibit its developers from using a particular family of Amazon EC2 instances. The company uses AWS Organizations and wants to apply the restriction across multiple accounts.

What is the MOST operationally efficient way for the company to apply service control policies (SCPs) to meet these requirements?

Options:

A.

Add the accounts to an organizational unit (OU). Apply the SCPs to the OU.

B.

Add the accounts to resource groups in AWS Resource Groups. Apply the SCPs to the resource groups.

C.

Apply the SCPs to each developer account.

D.

Enroll the accounts with AWS Control Tower. Apply the SCPs to the AWS Control Tower management account.

Question 23

A company has a secure website running on Amazon EC2 instances behind an Application Load Balancer (ALB). An SSL certificate from AWS Certificate Manager (ACM) is used on the ALB. Users with legacy web browsers are experiencing issues with the website.

How should the SysOps administrator resolve these issues in the MOST operationally efficient manner?

Options:

A.

Create a new SSL certificate in ACM and install the new certificate on the ALB to support legacy web browsers.

B.

Create a second ALB and install a custom SSL certificate with a different domain name on the second ALB to support legacy web browsers.

C.

Remove the ALB from the configuration and install a custom SSL certificate on each web server.

D.

Update the SSL negotiation configuration of the ALB with a security policy that contains ciphers for legacy web browsers.

Question 24

A company needs to view a list of security groups that are open to the internet on port 3389.

What should a SysOps administrator do to meet this requirement?

Options:

A.

Configure Amazon GuardDuty to scan security groups and report unrestricted access on port 3389.

B.

Configure a service control policy (SCP) to identify security groups that allow unrestricted access on port 3389.

C.

Use AWS Identity and Access Management Access Analyzer to find any instances that have unrestricted access on port 3389.

D.

Use AWS Trusted Advisor to find security groups that allow unrestricted access on port 3389.

Question 25

A company is storing media content in an Amazon S3 bucket and uses Amazon CloudFront to distribute the content to its users. Due to licensing terms, the company is not authorized to distribute the content in some countries. A SysOps administrator must restrict access to certain countries.

What is the MOST operationally efficient solution that meets these requirements?

Options:

A.

Configure the S3 bucket policy to deny the GetObject operation based on the S3:LocationConstraint condition.

B.

Create a secondary origin access identity (OAI). Configure the S3 bucket policy to prevent access from unauthorized countries.

C.

Enable the geo restriction feature in the CloudFront distribution to prevent access from unauthorized countries.

D.

Update the application to generate signed CloudFront URLs only for IP addresses in authorized countries.

Question 26

A company's SysOps administrator needs to change the AWS Support plan for one of the company's AWS accounts. The account has multi-factor authentication (MFA) activated, and the MFA device is lost.

What should the SysOps administrator do to sign in?

Options:

A.

Sign in as a root user by using email and phone verification. Set up a new MFA device. Change the root user password.

B.

Sign in as an IAM user with administrator permissions. Resynchronize the MFA token by using the IAM console.

C.

Sign in as an IAM user with administrator permissions. Reset the MFA device for the root user by adding a new device.

D.

Use the forgot-password process to verify the email address. Set up a new password and MFA device.

Question 27

A SysOps administrator must analyze Amazon CloudWatch logs across 10 AWS Lambda functions for historical errors. The logs are in JSON format and are stored in Amazon S3. Errors sometimes do not appear in the same field, but all errors begin with the same string prefix.

What is the MOST operationally efficient way for the SysOps administrator to analyze the log files?

Options:

A.

Use S3 Select to write a query to search for errors. Run the query across all log groups of interest.

B.

Create an AWS Glue processing job to index the logs of interest. Run a query in Amazon Athena to search for errors.

C.

Use Amazon CloudWatch Logs Insights to write a query to search for errors. Run the query across all log groups of interest.

D.

Use Amazon CloudWatch Contributor Insights to create a rule. Apply the rule across all log groups of interest.

Question 28

A company is planning to host its stateful web-based applications on AWS. A SysOps administrator is using an Auto Scaling group of Amazon EC2 instances. The web applications will run 24 hours a day, 7 days a week throughout the year. The company must be able to change the instance type within the same instance family later in the year based on the traffic and usage patterns.

Which EC2 instance purchasing option will meet these requirements MOST cost-effectively?

Options:

A.

Convertible Reserved Instances

B.

On-Demand instances

C.

Spot instances

D.

Standard Reserved instances

Question 29

A company uses an Amazon S3 bucket to store data files. The S3 bucket contains hundreds of objects. The company needs to replace a tag on all the objects in the S3 bucket with another tag.

What is the MOST operationally efficient way to meet this requirement?

Options:

A.

Use S3 Batch Operations. Specify the operation to replace all object tags.

B.

Use the AWS CLI to get the tags for each object. Save the tags in a list. Use S3 Batch Operations. Specify the operation to delete all object tags. Use the AWS CLI and the list to retag the objects.

C.

Use the AWS CLI to get the tags for each object. Save the tags in a list. Use the AWS CLI and the list to remove the object tags. Use the AWS CLI and the list to retag the objects.

D.

Use the AWS CLI to copy the objects to another S3 bucket. Add the new tag to the copied objects. Delete the original objects.

Question 30

A company runs a high performance computing (HPC) application on an Amazon EC2 instance. The company needs to scale this architecture to two or more EC2 instances. The EC2 instances will need to communicate with each other at high speeds with low latency to support the application.

The company wants to ensure that the network performance can support the required communication between the EC2 instances.

What should a SysOps administrator do to meet these requirements?

Options:

A.

Create a cluster placement group. Back up the existing EC2 instance to an Amazon Machine Image (AMI). Restore the EC2 instance from the AMI into the placement group. Launch the additional EC2 instances into the placement group.

B.

Back up the existing EC2 instance to an Amazon Machine Image (AMI). Create a launch template from the existing EC2 instance by specifying the AMI. Create an Auto Scaling group and configure the desired instance count.

C.

Create a Network Load Balancer (NLB) and a target group. Launch the new EC2 instances and register them with the target group. Register the existing EC2 instance with the target group. Pass all application traffic through the NLB.

D.

Back up the existing EC2 instance to an Amazon Machine Image (AMI). Create additional clones of the EC2 instance from the AMI in the same Availability Zone where the existing EC2 instance is located.

Question 31

A SysOps administrator is preparing to deploy an application to Amazon EC2 instances that are in an Auto Scaling group. The application requires dependencies to be installed. Application updates are issued weekly.

The SysOps administrator needs to implement a solution to incorporate the application updates on a regular basis. The solution also must conduct a vulnerability scan during Amazon Machine Image (AMI) creation.

What is the MOST operationally efficient solution that meets these requirements?

Options:

A.

Create a script that uses Packer. Schedule a cron job to run the script.

B.

Install the application and its dependencies on an EC2 instance. Create an AMI of the EC2 instance.

C.

Use EC2 Image Builder with a custom recipe to install the application and its dependencies.

D.

Invoke the EC2 CreateImage API operation by using an Amazon EventBridge scheduled rule.

Question 32

A SysOps administrator has launched a large general purpose Amazon EC2 instance to regularly process large data files. The instance has an attached 1 TB General Purpose SSD (gp2) Amazon Elastic Block Store (Amazon EBS) volume. The instance also is EBS-optimized. To save costs, the SysOps administrator stops the instance each evening and restarts the instance each morning.

When data processing is active, Amazon CloudWatch metrics on the instance show a consistent 3.000 VolumeReadOps. The SysOps administrator must improve the I/O performance while ensuring data integrity.

Which action will meet these requirements?

Options:

A.

Change the instance type to a large, burstable, general purpose instance.

B.

Change the instance type to an extra large general purpose instance.

C.

Increase the EBS volume to a 2 TB General Purpose SSD (gp2) volume.

D.

Move the data that resides on the EBS volume to the instance store.

Question 33

A SysOps administrator needs to configure automatic rotation for Amazon RDS database credentials. The credentials must rotate every 30 days. The solution must integrate with Amazon RDS.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Store the credentials in AWS Systems Manager Parameter Store as a secure string. Configure automatic rotation with a rotation interval of 30 days.

B.

Store the credentials in AWS Secrets Manager. Configure automatic rotation with a rotation interval of 30 days.

C.

Store the credentials in a file in an Amazon S3 bucket. Deploy an AWS Lambda function to automatically rotate the credentials every 30 days.

D.

Store the credentials in AWS Secrets Manager. Deploy an AWS Lambda function to automatically rotate the credentials every 30 days.

Question 34

A SysOps administrator is responsible for a legacy, CPU-heavy application. The application can only be scaled vertically. Currently, the application is deployed on a single t2.large Amazon EC2 instance. The system is showing 90% CPU usage and significant performance latency after a few minutes.

What change should be made to alleviate the performance problem?

Options:

A.

Change the Amazon EBS volume to Provisioned IOPS.

B.

Upgrade to a compute-optimized instance

C.

Add additional t3.large instances to the application.

D.

Purchase Reserved Instances

Question 35

A SysOps administrator recently configured Amazon S3 Cross-Region Replication on an S3 bucket.

Which of the following does this feature replicate to the destination S3 bucket by default?

Options:

A.

Objects in the source S3 bucket for which the bucket owner does not have permissions

B.

Objects that are stored in S3 Glacier

C.

Objects that existed before replication was configured

D.

Object metadata

Question 36

A SysOps administrator is creating an Amazon EC2 Auto Scaling group in a new AWS account. After adding some instances, the SysOps administrator notices that the group has not reached the minimum number of instances. The SysOps administrator receives the following error message:

Which action will resolve this issue?

Options:

A.

Adjust the account spending limits for Amazon EC2 on the AWS Billing and Cost Management console

B.

Modify the EC2 quota for that AWS Region in the EC2 Settings section of the EC2 console.

C.

Request a quota increase for the instance type family by using Service Quotas on the AWS Management Console.

D.

Use the Rebalance action in the Auto Scaling group on the AWS Management Console.

Question 37

While setting up an AWS managed VPN connection, a SysOps administrator creates a customer gateway resource in AWS. The customer gateway device resides in a data center with a NAT gateway in front of it.

What address should be used to create the customer gateway resource?

Options:

A.

The private IP address of the customer gateway device

B.

The MAC address of the NAT device in front of the customer gateway device

C.

The public IP address of the customer gateway device

D.

The public IP address of the NAT device in front of the customer gateway device

Question 38

A SysOps administrator is deploying a test site running on Amazon EC2 instances. The application requires both incoming and outgoing connectivity to the internet.

Which combination of steps are required to provide internet connectivity to the EC2 instances? (Choose two.)

Options:

A.

Add a NAT gateway to a public subnet.

B.

Attach a private address to the elastic network interface on the EC2 instance.

C.

Attach an Elastic IP address to the internet gateway.

D.

Add an entry to the route table for the subnet that points to an internet gateway.

E.

Create an internet gateway and attach it to a VPC.

Question 39

A SysOps administrator is managing a Memcached cluster in Amazon ElastiCache. The cluster has been heavily used recently, and the administrator wants to use a larger instance type with more memory.

What should the administrator use to make this change?

Options:

A.

Use the ModifyCacheCluster API and specify a new CacheNodeType.

B.

Use the CreateCacheCluster API and specify a new CacheNodeType.

C.

Use the ModifyCacheParameterGroup API and specify a new CacheNodeType.

D.

Use the RebootCacheCluster API and specify a new CacheNodeType.

Question 40

A SysOps administrator is investigating why a user has been unable to use RDP to connect over the internet from their home computer to a bastion server running on an Amazon EC2 Windows instance.

Which of the following are possible causes of this issue? (Choose two.)

Options:

A.

A network ACL associated with the bastion's subnet is blocking the network traffic.

B.

The instance does not have a private IP address.

C.

The route table associated with the bastion's subnet does not have a route to the internet gateway.

D.

The security group for the instance does not have an inbound rule on port 22.

E.

The security group for the instance does not have an outbound rule on port 3389.

Question 41

A company is using an Amazon Aurora MySQL DB cluster that has point-in-time recovery, backtracking, and automatic backup enabled. A SysOps administrator needs to be able to roll back the DB cluster to a specific recovery point within the previous 72 hours. Restores must be completed in the same production DB cluster.

Which solution will meet these requirements?

Options:

A.

Create an Aurora Replica. Promote the replica to replace the primary DB instance.

B.

Create an AWS Lambda function to restore an automatic backup to the existing DB cluster.

C.

Use backtracking to rewind the existing DB cluster to the desired recovery point.

D.

Use point-in-time recovery to restore the existing DB cluster to the desired recovery point.

Question 42

A company wants to track its AWS costs in all member accounts that are part of an organization in AWS Organizations. Managers of the member accounts want to receive a notification when the estimated costs exceed a predetermined amount each month. The managers are unable to configure a billing alarm. The IAM permissions for all users are correct.

What could be the cause of this issue?

Options:

A.

The management/payer account does not have billing alerts turned on.

B.

The company has not configured AWS Resource Access Manager (AWS RAM) to share billing information between the member accounts and the management/payer account.

C.

Amazon GuardDuty is turned on for all the accounts.

D.

The company has not configured an AWS Config rule to monitor billing.

Question 43

A company is running an application on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances are launched by an Auto Scaling group and are automatically registered in a target group. A SysOps administrator must set up a notification to alert application owners when targets fail health checks.

What should the SysOps administrator do to meet these requirements?

Options:

A.

Create an Amazon CloudWatch alarm on the UnHealthyHostCount metric. Configure an action to send an Amazon Simple Notification Service (Amazon SNS) notification when the metric is greater than 0.

B.

Configure an Amazon EC2 Auto Scaling custom lifecycle action to send an Amazon Simple Notification Service (Amazon SNS) notification when an instance is in the Pending:Wait state.

C.

Update the Auto Scaling group. Configure an activity notification to send an Amazon Simple Notification Service (Amazon SNS) notification for the Unhealthy event type.

D.

Update the ALB health check to send an Amazon Simple Notification Service (Amazon SNS) notification when an instance is unhealthy.

Question 44

An existing, deployed solution uses Amazon EC2 instances with Amazon EBS General Purpose SSD volumes, an Amazon RDS PostgreSQL database, an Amazon EFS file system, and static objects stored in an Amazon S3 bucket. The Security team now mandates that at-rest encryption be turned on immediately for all aspects of the application, without creating new resources and without any downtime.

To satisfy the requirements, which one of these services can the SysOps administrator enable at-rest encryption on?

Options:

A.

EBS General Purpose SSD volumes

B.

RDS PostgreSQL database

C.

Amazon EFS file systems

D.

S3 objects within a bucket

Question 45

A SysOps administrator is troubleshooting an AWS CloudFormation template whereby multiple Amazon EC2 instances are being created. The template is working in us-east-1, but it is failing in us-west-2 with the error code:

How should the administrator ensure that the AWS CloudFormation template is working in every region?

Options:

A.

Copy the source region's Amazon Machine Image (AMI) to the destination region and assign it the same ID.

B.

Edit the AWS CloudFormation template to specify the region code as part of the fully qualified AMI ID.

C.

Edit the AWS CloudFormation template to offer a drop-down list of all AMIs to the user by using the AWS::EC2::AMI::ImageID control.

D.

Modify the AWS CloudFormation template by including the AMI IDs in the "Mappings" section. Refer to the proper mapping within the template for the proper AMI ID.

Question 46

A new website will run on Amazon EC2 instances behind an Application Load Balancer. Amazon Route 53 will be used to manage DNS records.

What type of record should be set in Route 53 to point the website's apex domain name (for example, company.com) to the Application Load Balancer?

Options:

A.

CNAME

B.

SOA

C.

TXT

D.

ALIAS

Question 47

A company recently migrated its server infrastructure to Amazon EC2 instances. The company wants to use Amazon CloudWatch metrics to track instance memory utilization and available disk space.

What should a SysOps administrator do to meet these requirements?

Options:

A.

Configure CloudWatch from the AWS Management Console for all the instances that require monitoring by CloudWatch. AWS automatically installs and configures the agents for the specified instances.

B.

Install and configure the CloudWatch agent on all the instances. Attach an IAM role to allow the instances to write logs to CloudWatch.

C.

Install and configure the CloudWatch agent on all the instances. Attach an IAM user to allow the instances to write logs to CloudWatch.

D.

Install and configure the CloudWatch agent on all the instances. Attach the necessary security groups to allow the instances to write logs to CloudWatch.

Question 48

A company's SysOps administrator manages a fleet of hundreds of Amazon EC2 instances that run Windows-based workloads and Linux-based workloads. Each EC2 instance has a tag that identifies its operating system. All the EC2 instances run AWS Systems Manager Session Manager.

A zero-day vulnerability is reported, and no patches are available. The company's security team provides code for all the relevant operating systems to reduce the risk of the vulnerability. The SysOps administrator needs to implement the code on the EC2 instances and must provide a report that shows that the code has successfully run on all the instances.

What should the SysOps administrator do to meet these requirements as quickly as possible?

Options:

A.

Use Systems Manager Run Command. Choose either the AWS-RunShellScript document or the AWS-RunPowerShellScript document. Configure Run Command with the code from the security team. Specify the operating system tag in the Targets parameter. Run the command. Provide the command history's evidence to the security team.

B.

Create an AWS Lambda function that connects to the EC2 instances through Session Manager. Configure the Lambda function to identify the operating system, run the code from the security team, and return the results to an Amazon RDS DB instance. Query the DB instance for the results. Provide the results as evidence to the security team.

C.

Log on to each EC2 instance. Run the code from the security team on each EC2 instance. Copy and paste the results of each run into a single spreadsheet. Provide the spreadsheet as evidence to the security team.

D.

Update the launch templates of the EC2 instances to include the code from the security team in the user data. Relaunch the EC2 instances by using the updated launch templates. Retrieve the EC2 instance logs of each instance. Provide the EC2 instance logs as evidence to the security team.

Question 49

A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The company uses Amazon Route 53 to route traffic.

The company also has a static website that is configured in an Amazon S3 bucket.

A SysOps administrator must use the static website as a backup to the web application. The failover to the static website must be fully automated.

Which combination of actions will meet these requirements? (Choose two.)

Options:

A.

Create a primary failover routing policy record. Configure the value to be the ALB.

B.

Create an AWS Lambda function to switch from the primary website to the secondary website when the health check fails.

C.

Create a primary failover routing policy record. Configure the value to be the ALB. Associate the record with a Route 53 health check.

D.

Create a secondary failover routing policy record. Configure the value to be the static website. Associate the record with a Route 53 health check.

E.

Create a secondary failover routing policy record. Configure the value to be the static website.

Question 50

A company wants to apply an existing Amazon Route 53 private hosted zone to a new VPC to allow for customized resource name resolution within the VPC. The SysOps administrator created the VPC and added the appropriate resource record sets to the private hosted zone.

Which step should the SysOps administrator take to complete the setup?

Options:

A.

Associate the Route 53 private hosted zone with the VPC.

B.

Create a rule in the default security group for the VPC that allows traffic to the Route 53 Resolver.

C.

Ensure the VPC network ACLs allow traffic to the Route 53 Resolver.

D.

Ensure there is a route to the Route 53 Resolver in each of the VPC route tables.

Question 51

A company has attached the following policy to an IAM user:

Which of the following actions are allowed for the IAM user?

Options:

A.

Amazon RDS DescribeDBInstances action in the us-east-1 Region

B.

Amazon S3 PutObject operation in a bucket named testbucket

C.

Amazon EC2 DescribeInstances action in the us-east-1 Region

D.

Amazon EC2 AttachNetworkInterface action in the eu-west-1 Region

Question 52

A SysOps administrator needs to give users the ability to upload objects to an Amazon S3 bucket. The SysOps administrator creates a presigned URL and provides the URL to a user, but the user cannot upload an object to the S3 bucket. The presigned URL has not expired, and no bucket policy is applied to the S3 bucket.

Which of the following could be the cause of this problem?

Options:

A.

The user has not properly configured the AWS CLI with their access key and secret access key.

B.

The SysOps administrator does not have the necessary permissions to upload the object to the S3 bucket.

C.

The SysOps administrator must apply a bucket policy to the S3 bucket to allow the user to upload the object.

D.

The object already has been uploaded through the use of the presigned URL, so the presigned URL is no longer valid.

Question 53

A SysOps administrator is evaluating Amazon Route 53 DNS options to address concerns about high availability for an on-premises website. The website consists of two servers: a primary active server and a secondary passive server. Route 53 should route traffic to the primary server if the associated health check returns 2xx or 3xx HTTP codes. All other traffic should be directed to the secondary passive server. The failover record type, set ID, and routing policy have been set appropriately for both primary and secondary servers.

Which next step should be taken to configure Route 53?

Options:

A.

Create an A record for each server. Associate the records with the Route 53 HTTP health check.

B.

Create an A record for each server. Associate the records with the Route 53 TCP health check.

C.

Create an alias record for each server with evaluate target health set to yes. Associate the records with the Route 53 HTTP health check.

D.

Create an alias record for each server with evaluate target health set to yes. Associate the records with the Route 53 TCP health check.

Question 54

A SysOps administrator creates an AWS CloudFormation template to define an application stack that can be deployed in multiple AWS Regions.

The SysOps administrator also creates an Amazon CloudWatch dashboard by using the AWS Management Console. Each deployment of the application requires its own CloudWatch dashboard.

How can the SysOps administrator automate the creation of the CloudWatch dashboard each time the application is deployed?

Options:

A.

Create a script by using the AWS CLI to run the aws cloudformation put-dashboard command with the name of the dashboard. Run the command each time a new CloudFormation stack is created.

B.

Export the existing CloudWatch dashboard as JSON. Update the CloudFormation template to define an AWS::CloudWatch::Dashboard resource. Include the exported JSON in the resource's DashboardBody property.

C.

Update the CloudFormation template to define an resource. Use the intrinsic Ref function to reference the ID of the existing CloudWatch dashboard.

D.

Update the CloudFormation template to define an AWS::CloudWatch::Dashboard resource. Specify the name of the existing dashboard in the DashboardName property.

Question 55

A company is testing Amazon Elasticsearch Service (Amazon ES) as a solution for analyzing system logs from a fleet of Amazon EC2 instances. During the test phase, the domain operates on a single-node cluster. A SysOps administrator needs to transition the test domain into a highly available production-grade deployment.

Which Amazon ES configuration should the SysOps administrator use to meet this requirement?

Options:

A.

Use a cluster of four data nodes across two AWS Regions. Deploy four dedicated master nodes in each Region.

B.

Use a cluster of six data nodes across three Availability Zones. Use three dedicated master nodes.

C.

Use a cluster of six data nodes across three Availability Zones. Use six dedicated master nodes.

D.

Use a cluster of eight data nodes across two Availability Zones. Deploy four master nodes in a failover AWS Region.

Question 56

A company needs to implement a managed file system to host Windows file shares for users on premises. Resources in the AWS Cloud also need access to the data on these file shares. A SysOps administrator needs to present the user file shares on premises and make the user file shares available on AWS with minimum latency.

What should the SysOps administrator do to meet these requirements?

Options:

A.

Set up an Amazon S3 File Gateway.

B.

Set up an AWS Direct Connect connection.

C.

Use AWS DataSync to automate data transfers between the existing file servers and AWS.

D.

Set up an Amazon FSx File Gateway.

Question 57

A SysOps administrator has created an Amazon EC2 instance using an AWS CloudFormation template in the us-east-1 Region. The administrator finds that this template has failed to create an EC2 instance in the us-west-2 Region.

What is one cause for this failure?

Options:

A.

Resource tags defined in the CloudFormation template are specific to the us-east-1 Region.

B.

The Amazon Machine Image (AMI) ID referenced in the CloudFormation template could not be found in the us-west-2 Region.

C.

The cfn-init script did not run during resource provisioning in the us-west-2 Region.

D.

The IAM user was not created in the specified Region.

Question 58

An organization created an Amazon Elastic File System (Amazon EFS) volume with a file system ID of fs-85ba4Kc, and it is actively used by 10 Amazon EC2 hosts. The organization has become concerned that the file system is not encrypted.

How can this be resolved?

Options:

A.

Enable encryption on each host's connection to the Amazon EFS volume. Each connection must be recreated for encryption to take effect.

B.

Enable encryption on the existing EFS volume by using the AWS Command Line Interface.

C.

Enable encryption on each host's local drive. Restart each host to encrypt the drive.

D.

Enable encryption on a newly created volume and copy all data from the original volume. Reconnect each host to the new volume.

Question 59

A company runs a web application on three Amazon EC2 instances behind an Application Load Balancer (ALB). The company notices that random periods of increased traffic cause a degradation in the application's performance. A SysOps administrator must scale the application to meet the increased traffic.

Which solution meets these requirements?

Options:

A.

Create an Amazon CloudWatch alarm to monitor application latency and increase the size of each EC2 instance if the desired threshold is reached.

B.

Create an Amazon EventBridge (Amazon CloudWatch Events) rule to monitor application latency and add an EC2 instance to the ALB if the desired threshold is reached.

C.

Deploy the application to an Auto Scaling group of EC2 instances with a target tracking scaling policy. Attach the ALB to the Auto Scaling group.

D.

Deploy the application to an Auto Scaling group of EC2 instances with a scheduled scaling policy. Attach the ALB to the Auto Scaling group.

Question 60

A SysOps administrator manages a company's Amazon S3 buckets. The SysOps administrator has identified 5 GB of incomplete multipart uploads in an S3 bucket in the company's AWS account. The SysOps administrator needs to reduce the number of incomplete multipart upload objects in the S3 bucket.

Which solution will meet this requirement?

Options:

A.

Create an S3 Lifecycle rule on the S3 bucket to delete expired markers or incomplete multipart uploads.

B.

Require users that perform uploads of files into Amazon S3 to use the S3 TransferUtility.

C.

Enable S3 Versioning on the S3 bucket that contains the incomplete multipart uploads.

D.

Create an S3 Object Lambda Access Point to delete incomplete multipart uploads.

Question 61

A SysOps administrator created an Amazon VPC with an IPv6 CIDR block, which requires access to the internet. However, access from the internet towards the VPC is prohibited. After adding and configuring the required components to the VPC, the administrator is unable to connect to any of the domains that reside on the internet.

What additional route destination rule should the administrator add to the route tables?

Options:

A.

Route ::/0 traffic to a NAT gateway

B.

Route ::/0 traffic to an internet gateway

C.

Route 0.0.0.0/0 traffic to an egress-only internet gateway

D.

Route ::/0 traffic to an egress-only internet gateway

Question 62

A SysOps administrator wants to upload a file that is 1 TB in size from on-premises to an Amazon S3 bucket using multipart uploads. What should the SysOps administrator do to meet this requirement?

Options:

A.

Upload the file using the S3 console.

B.

Use the s3api copy-object command.

C.

Use the s3api put-object command.

D.

Use the s3 cp command.

Question 63

A webpage is stored in an Amazon S3 bucket behind an Application Load Balancer (ALB). Configure the S3 bucket to serve a static error page in the event of a failure at the primary site.

1. Use the us-east-2 Region for all resources.

2. Unless specified below, use the default configuration settings.

3. There is an existing hosted zone named lab-751906329398-26023898.com that contains an A record with a simple routing policy that routes traffic to an existing ALB.

4. Configure the existing S3 bucket named lab-751906329398-26023898.com as a static hosted website using the object named index.html as the index document.

5. For the index.html object, configure the S3 ACL to allow for public read access. Ensure public access to the S3 bucket is allowed.

6. In Amazon Route 53, change the A record for domain lab-751906329398-26023898.com to a primary record for a failover routing policy. Configure the record so that it evaluates the health of the ALB to determine failover.

7. Create a new secondary failover alias record for the domain lab-751906329398-26023898.com that routes traffic to the existing S3 bucket.

Options:

Question 64

If your AWS Management Console browser does not show that you are logged in to an AWS account, close the browser and relaunch the console by using the AWS Management Console shortcut from the VM desktop.

If the copy-paste functionality is not working in your environment, refer to the instructions file on the VM desktop and use Ctrl+C, Ctrl+V or Command-C, Command-V.

Configure Amazon EventBridge to meet the following requirements.

1. Use the us-east-2 Region for all resources.

2. Unless specified below, use the default configuration settings.

3. Use your own resource naming unless a resource name is specified below.

4. Ensure all Amazon EC2 events in the default event bus are replayable for the past 90 days.

5. Create a rule named RunFunction to send the exact message every 15 minutes to an existing AWS Lambda function named LogEventFunction.

6. Create a rule named SpotWarning to send a notification to a new standard Amazon SNS topic named TopicEvents whenever an Amazon EC2 Spot Instance is interrupted. Do NOT create any topic subscriptions. The notification must match the following structure:

Input Path:

{"instance" : "$.detail.instance-id"}

Input template:

“ The EC2 Spot Instance has been on account.

Options:

Question 65

You need to update an existing AWS CloudFormation stack. If needed, a copy of the CloudFormation template is available in an Amazon S3 bucket named cloudformation-bucket.

1. Use the us-east-2 Region for all resources.

2. Unless specified below, use the default configuration settings.

3. Update the Amazon EC2 instance named Devinstance by making the following changes to the stack named 1700182:

a) Change the EC2 instance type to us-east-t2.nano.

b) Allow SSH to connect to the EC2 instance from the IP address range 192.168.100.0/30.

c) Replace the instance profile IAM role with IamRoleB.

4. Deploy the changes by updating the stack using the CFServiceRole role.

5. Edit the stack options to prevent accidental deletion.

6. Using the output from the stack, enter the value of the ProdInstanceId in the text box below:

Options:
